High-Quality Fake IDs from China

Most troubling to authorities is the sophistication of the forgeries: Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink appearing only under ultraviolet light is stamped onto the cards.

Each of those manufacturing methods helps the IDs defeat security measures aimed at identifying forged documents.

The overseas forgers are bold enough to sell their wares on websites, USA TODAY research finds. Anyone with an Internet connection and $75 to $200 can order their personalized ID card online from such companies as ID Chief. Buyers pick the state, address, name and send in a scanned photo and signature to complete their profile.

ID Chief, whose website is based in China, responds personally to each buyer with a money-order request.

[...]

According to Huff of the Virginia agency, it has always been easy for the untrained eye to be fooled by fake IDs. The difference is, Huff said, that the new generation of forged IDs is "good enough to fool the trained eye."

The only real solution here is to move the security model from the document to the database. With online verification, the document matters much less, because it is nothing more than a pointer into a database. Think about credit cards.

Comments

The security lies not within the holder but the validator. If my validator (e.g. a police officer) does not have a computer/smart-phone that can validate the ID on the spot by connecting to some database or by accessing the secure chip inside it (think EU passports), he/she can be fooled with a forgery.

I am for a secure off-line validation method with an optional online improved validation.

People create fake credit cards all the time. Mine was stolen twice this year (first time ever) before realizing it was the young girl working the register at a local restaurant. We don't eat there anymore, but she probably still works there.

Konrads has a good point. In Vermont there are plenty of places where there's spotty cell signal so that can't be relied on. It wouldn't be hard to have a copy of the most likely requested information in the car but then it's a fairly simple matter to pick an ID that won't be easily accessible if you can plan ahead.

There's moving from the document to the database, using biometrics to tie people indelibly to their identities. Or there's dispersing the identity and credentialing system to make breaking any piece of it less valuable (biometric-on-token for those high-value transactions). Jujitsu is needed much more than brawn.

A similar problem was discovered here in India a few days ago. A huge amount of impressively made fake Indian currency notes have been found that actually incorporate almost all the anti-forgery techniques found in the real notes. "'Many covert features of genuine Indian currency were successfully imitated,' says a report by the Reserve Bank of India after forensic tests on FICN seized by the NIA. It says these features can be achieved only through 'sophisticated machinery which is sold only to sovereign governments...'"
A link to a nice national newspaper article: http://www.indianexpress.com/news/rs-16-000-cr-in-fakes-printed-in-pakistan-and-circulated-all-over/960280/0

The problem of fake ID's is actually much easier than that of counterfeit currency. If you make an exact copy of a $20, then you have $40. If you make an exact copy of an ID card, then you haven't gained anything. The only benefit you get is if you make an ID with different information than the "real" one.

This seems like a perfect place for digital signatures. I would envision a 3-tier system: the card has your picture, name, DOB, and ID number, whatever other info needs to be on the card. It has a reasonable level of anti-forging techniques, basically so that someone who is only equipped with eyeballs can use it in some way. It also has most or all of that info encoded digitally (I'm pretty sure a standard magstripe can't hold enough data to put a digital image on, but most other info it could), plus a digital signature by a state-owned key. That way bars can get a cheap reader that can verify age, and cops with a reader but no communications capabilities can verify ID.

And then of course, the database back-end is the most featureful, for those with access to it and the communication ability.

There are still attacks against the system, but it raises the bar, and while companies like the one the article is about would probably still exist, their products would be less useful and therefore likely in less demand.

Security has been moved from the document to the database for several important items of property in the UK (and I'm sure elsewhere). For example the 'Deeds' of a house or apartment which used to be proof of ownership are only of curiosity interest now; the MOT test of basic roadworthiness of a vehicle still results in a token certificate but as it says officially: "Your MOT certificate is a record of the MOT database."; the cops can check roadworthiness, insurance and ownership of a vehicle in one call to a database and I'm sure hell would freeze over before they would be convinced that my piece of paper was correct while their database call was false.

But therein lies the weakness for users - there's no external definitive reference to correct bad data caused by malice or error.

Credit Cards are a pretty poor example. Yes, the validity of the account is checked online, but the authenticity of the holder is verified locally.

Nearly anyone can adequately fake a signature after looking at it and trying it a few times. If further verification is used (photo ID) now you're relying on a separate system.

A better implementation of CCs would not have the signature on the card itself, but in the database. When you swipe the vendor would see the sig and compare it. Someone who's filched your card would not have direct access to the signature to modify or practice it.

@lazlo - that turns it into the trickier problem of who controls the back end.

Your patrol officer needs to check out-of-state licences, so your state has to pass all the data to the feds and relinquish control to a federal authority.
And you need to check Canadian/Mexican ones, so you need to get a copy of the Canadian/Mexican database - and of course you need to give them a copy of the US one.

Then at the airport you have a visitor from Iran so you need access to the Iranian passport DB and of course they then need access to the US one......

I met an illegal alien lately who claimed that for $500 he had purchased a WA state drivers license that passed the check back into the database. That's a pretty scary corruption of the security at both the document and the state validation and for a paltry price.

Moving the security from the document to the database solves only half of the problem. It gives you an easy way to verify the integrity of the document, but you still need to deal with all sorts of cloning and replay.
To take credit cards for example, the verifier will consult the database on the validity of a card but will accept also clones.

@Captain Obvious: The signature on the card has not been for identification purposes for a long time, if ever. It is there so the CC company can say in court that you read and agreed to the full agreement with them, including the part where they can change the terms at any time and your only recourse in disputes is binding arbitration with an arbitrator of their choice, in a location convenient to them. This is why merchants have been told not to accept cards with "Require I.D." or similar on the signature line.

Besides, I can't imagine a "signature verification" system based on those horrible P.O.S. (in at least two senses of the term) stylus/touch devices. Enough "slack" in the matching to allow all the noise would admit pretty much any vague squiggle.

Next time you use your credit card, try and sign a different signature. Let me know if it does not go through. I (out of laziness or if I am in a hurry) often put a squiggly for my signature, and no one has complained. The only time someone complained was in Germany. The funny thing is my credit card was not signed. So she said she will not let the transaction go through until I sign my card. So I signed my card and put a matching "signature" on the merchant's copy of the receipt.

Signatures are mostly used in disputes. So you would go to your credit card issuing bank and say: "hey! I never made that purchase! This is not my signature". You see any problems with that? Yup! Non-repudiation is virtually non-existent.

That's standard. You sign your credit card to show that you have accepted the terms of the agreement. The merchants are not supposed to accept the card without it. It has nothing to do with your security.

From the article:
"For buyers from ID Chief and other companies, the easy-to-use online form does not come without risk. Buyers have reported identity theft and hundreds of thousands of dollars of debt in their names after buying from the Chinese forgers, authorities say."

This is confusing to me, because if the purchasers of the fake IDs are using false credentials (name, DOB, etc) on the card, how are the card manufacturers stealing their identity?

As ineffective as they are, the signatures are used for security. If you dispute a charge they contact the merchant and say "Show me the sig."

Many teller systems instruct the teller to ask for the card and compare the signatures. I've never had a person reject a crappy sig, but the machines will.

When I get carded for something (apparently there are 100s of items you must be 18 to buy) I'm annoyed so I refuse to sign properly, and the machine somehow detects that I didn't put enough effort into the signature and flags the attendant again.

It seems the vendors care less and less though, I always reach for the pen and am frequently surprised when I am not prompted to sign. It started with small purchases

Am I the only person who doesn't have an extremely consistent signature? I use the same style, and I'm sure a professional analyst could confirm multiple instances of my signature. But if I'm signing 5 different lines on a form my sig will look slightly different.

I guess I didn't have to sign enough by rote as a young person to develop a consistent signature.

P: Profit
X: cost of printing an exact copy
y: Market value of your product. If you print a million units of currency, you would not go spend it yourself. You will sell it to someone else. Last time I *ahem* checked it was 10:1 :)

P will be 40 if your cost is 0, and you don't use a middlewoman or money launderer; Y = 1

Would you believe that in the US, police and other government agencies may assume that the contents of a government data base are ALWAYS correct?

Couple of years back the NCIC had obviously bad info which kept a citizen in jail for a couple of days. The supreme court ruled that the database may be treated as gospel and the citizen had no recourse nor compensation for mistreatment due to the database.

As online databases age, they pick up more and more bad information. Since there is no incentive (legal nor economic) to keep them clean, online ID checking will have more and more false positives as time progresses.

I think the approach of digitally signed vital stats plus photo helps a lot with the issues you raise - a verifier without database access (out of state police, foreign country's immigration service, etc.) but with a list of relevant issuers' public keys, could verify that an ID was issued by the authentic source - doesn't address identities later found to be false, but it does catch false issuers.

If the system were adopted for North American driving licenses, for instance, there would be something like 50 US states + 31 Mexican states + 10 Canadian provinces + a few additional entities (Puerto Rico, DC, Distrito Federal, 3 Canadian territories, ...).

In principle, the national level in each country could sign intermediate certs for the regional entities. The verifiers would only need the current public keys for three countries.
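
An added example, not part of the original post or of any commenter's text: a Go sketch of the offline check proposed in the comments above, where a regional issuer signs the card data and a national root signs the issuer's key, so a verifier needs only the national public keys. The struct layout, the JSON encoding of the signed bytes, the choice of Ed25519 and every name and sample value are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var ErrBadIssuer = errors.New("issuer key not signed by a trusted national root")
var ErrBadCard = errors.New("card data not signed by the named issuer")
var ErrExpired = errors.New("card expired")

type IssuerCert struct { // regional issuer's key; Sig is the national root's signature
	Country, Region string
	Key             ed25519.PublicKey
	Sig             []byte
}

type Card struct { // data encoded on the ID; Sig is the regional issuer's signature
	Name, DOB, Number string
	Expires           time.Time
	Issuer            IssuerCert
	Sig               []byte
}

// The signed bytes are the JSON encoding of the struct with its own Sig cleared.
func certTBS(c IssuerCert) []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }
func cardTBS(c Card) []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }

// Issue signs cert with the root key, attaches it, then signs the card with the issuer key.
func Issue(root, issuer ed25519.PrivateKey, c Card, cert IssuerCert) Card {
	cert.Sig = ed25519.Sign(root, certTBS(cert))
	c.Issuer = cert
	c.Sig = ed25519.Sign(issuer, cardTBS(c))
	return c
}

// Verify needs no network: only the per-country root keys and a clock.
func Verify(c Card, roots map[string]ed25519.PublicKey, now time.Time) error {
	root, ok := roots[c.Issuer.Country]
	if !ok || len(c.Issuer.Key) != ed25519.PublicKeySize ||
		!ed25519.Verify(root, certTBS(c.Issuer), c.Issuer.Sig) {
		return ErrBadIssuer
	}
	if !ed25519.Verify(c.Issuer.Key, cardTBS(c), c.Sig) {
		return ErrBadCard
	}
	if now.After(c.Expires) {
		return ErrExpired
	}
	return nil
}

// Demo runs the verifier over constructed keys and cards (all values are made up).
func Demo() map[string]error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // national root
	dmvPub, dmvPriv, _ := ed25519.GenerateKey(nil)   // regional issuer
	fPub, fPriv, _ := ed25519.GenerateKey(nil)       // key outside the chain
	now := time.Date(2011, 7, 1, 0, 0, 0, 0, time.UTC)
	roots := map[string]ed25519.PublicKey{"US": rootPub}
	cert := IssuerCert{Country: "US", Region: "VT", Key: dmvPub}
	data := Card{Name: "Sample Holder", DOB: "1993-02-01", Number: "X0000001", Expires: now.AddDate(4, 0, 0)}
	genuine := Issue(rootPriv, dmvPriv, data, cert)
	altered := genuine
	altered.DOB = "1988-02-01" // field changed, original signature kept
	cert.Key = fPub            // internally consistent card, but not chained to the root
	return map[string]error{
		"genuine":     Verify(genuine, roots, now),
		"altered":     Verify(altered, roots, now),
		"self-issued": Verify(Issue(fPriv, fPriv, data, cert), roots, now),
		"expired":     Verify(genuine, roots, now.AddDate(10, 0, 0)),
	}
}

func main() {
	fmt.Println(Demo())
}
```

An exact copy of the signed data verifies just like the original, so this check catches altered and self-issued cards but not clones, and it cannot see a revocation without a list or a database lookup.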

From the article:
"For buyers from ID Chief and other companies, the easy-to-use online form does not come without risk. Buyers have reported identity theft and hundreds of thousands of dollars of debt in their names after buying from the Chinese forgers, authorities say."

And why do we trust the "authorities"? What better way to discourage false IDs?

An online ID database would be impractical in the real world for say a busy nightclub. The backed up line would make the TSA proud.
The nationally known music venue I worked at years ago was one of the first to have a device to photograph IDs on videotape.
A concern is that the state liquor control being only interested in prosecuting bars that didn't catch 100% of the fakes instead of the young a-dolts jeopardizing a business.

Well, if I read the name of an organization anymore in the paper I assume it's a honey pot of some type.

In any event, Bruce's idea is rather silly. Shifting the burden to the database solves nothing. First, databases are prone to error and everyone knows it because somewhere along the line the data crossed the hands of a human being and a human screwed it up. Second, even when the screw-up is not accidental databases are prone to subversion. State employees are notoriously underpaid and does it really make any sense to put the heart and soul of your identity system in the hands of someone making 30K a year?

I refuse to believe there is any correlation between licensed drivers and road safety. A drivers license is just too easy to get in the US. Everyone who drives here can attest to the unsafe behavior of too many drivers, the overwhelming majority of whom are licensed.

But the article also says that buyers are asked to pay for the fake ID with a Money Order. Since Money Orders can be bought most places for cash, without showing any form of ID, and ANY name can be signed on the "Purchaser for Drawer" line, it seems the buyers of the IDs don't have to give up any real information about themselves, including a CC number.

@John (cc: Adam) - I suspect your claim of *zero* safety benefit from licensing is a way of signaling your outrage at the many bad drivers, and that's fine. But almost certainly there's a positive correlation between the driver training that comes with licensing and driver skill.

This matters when states link driver licensing to citizenship, for example, prompting illegal immigrants to drive without *any* training. Before his run-in with (ahem, unlicensed) sex-workers, Governor Spitzer (D-NY) cited safety reasons for de-linking immigration status and driver licensing. Anti-immigrant factions in both parties mobbed him, of course, causing him to reverse the policy.

Licensing is not the only way or the best way to improve driving skills, but I think licensing policies generally improve skills by some margin.

Some of the quotes from this article come from the "Coalition for a Secure Driver's License."

I have seen this organization before (they were really active during the time REAL ID was being legislated) and my theory is that they are a non-profit front for companies which make ID cards/ID systems/databases.

So the attack vector moves to the network link. When online cc auth fails, the store drops back to a floor limit. If a network goes down, does airport security stop? Nope...the economic cost is too high (non security network failures are far far more common than security related ones).

Last year I needed a solicitor to help sort out my deceased mother's estate. UK law apparently requires the solicitor to verify identity. With photo ID, to prove you're the person the identity documents belong to. With no employer's photo ID and no photo driving licence this could have been tricky. Delving in a drawer I eventually uncovered a decades old expired passport. I told the solicitor that was all I had, if that wasn't good enough I'd have to buy forged ID off the Web.

She accepted the old passport, but perhaps I should get some fake ID in my own name while I still can.

The states should go back to the old laminated Polaroid photo driver licenses. They were much harder to forge and most importantly you had to physically stand in front of the camera when you had your picture taken. You couldn't just take a photo with a digital camera and email it and some fake info half way around the world and then get in the mail a week later. Of course there wasn't anywhere to put the government's precious biometric identifiers so there's no point considering it.

Err not sure who told you that but it's not the general case. Many solicitors insist these days for a couple of self interested reasons,

1, It helps ensure they get paid...
2, It helps keep them (not you) clear of money laundering legislation (such are the high fees they charge).

In the UK getting a legitimate photo ID is not that difficult to do (oh and as most employers have been "brow beaten" by the last Gov in an attempt to push UK ID cards, you will need real photo ID if you plan to change jobs or open a new bank account).

What you need is an original or copy "birth certificate" and two signed photos and go get a passport, take the passport down to a DVLA office and get a provisional licence using the passport.

That usually gives you two bits of photo ID but some people still insist on full passport so you might have to go pass the test.

It's actually harder to get a Utility or Council tax bill simply because it involves a load of grief if you are not "the house holder" unless the checker will take a mobile phone bill or bank statement. Many have been forced to accept "Landlords letters" because of the number of people who have to rent rooms in private homes just to get a roof over their heads.

However some banks will let you open an account with just the Passport and Learner Licence and Landlords letter, and mobile phone companies will quite happily accept a direct debit from the bank account.

Thus the key to all this "crap" is the Birth Certificate, which has no bio-information on it other than your sex.

Does it have to be your "Birth Certificate" err actually no, the lack of bio-checks and other information mean that knowing the full name and that of the listed parents as well as the date of birth and a reasonable excuse (house fire) is often all you'll need to get a copy of anybody's birth certificate.

There used to be (and may well still exist) a way to get a "clean birth cert" by walking around a remote cemetery and looking for the names of children who died before they were 18. This was detailed in the Frederick Forsyth book "Day of the Jackal" many many years ago.

There are other tricks you can use using "deed poll" certificates and having a birth certificate indicating Northern Ireland to get an Irish Republic Passport... All of which has been documented in many places on the Internet.

As a general rule of thumb the UK government does not care who is in the UK as long as they don't break the law and pay their taxes (as it's the money they want).

It is only because some influential idiots in their dotage believe (incorrectly) that "johnny foreigner" is in the UK to steal jobs and women in the same way the Vikings were alleged to...

The simple fact is the UK and England in particular is probably (depending on how you measure it) the No1 "mongrel nation" on the face of the planet with more than half of the current UK "born and bred" population having immigrant parents in less than four generations and "inter faith/racial/national" marriages being quite normal.

There is even an oddly funny (as in peculiar) side to it with some UK Nationals belonging to organisations with "nationalistic agendas" being accused of racism by the "influential idiots" etc even though these organisations have many races and creeds as members...

This seems delightfully suited to produce denial-of-service attacks. Get a fake ID in the name of the person you want to interfere with, arrange to let it be known to the authorities that there's a fake ID in that name (and ID number of whatever kind) floating around.

The ID has a public key embedded inside it. That key is used to encrypt the card identifier and transmitted to a government/employment DB that holds a private key for this ID, which returns with an image for the ID and other relevant data.

If these three things don't match, then the person is not who they claim.
1) Face in front of you
2) face on the ID card in their hand
3) Image of the ID card (and face) provided by the server

Setting up encrypted, read-only storage for off-line use at key border locations wouldn't be too difficult either. Weekly updates of the data is probably often enough - just warn ID users that updates to these systems may require 7 days.

This doesn't do anything for disconnected validations, but a subset of the DB for specific locale or without any image data could make portable versions possible. Invalidating a key is already something solved. Expiration dates - solved. This stuff has been thought thru pretty well by the GNUpg folks.

Physical government issued ID has always been easy to fake. So are databases. There's a well known group of fraudsters that issue EU passports called 'plywood' passports, which are entered in a database and real (you can travel on them). They just add your picture and bribe whoever works at the passport office. -1 for database ID.

Where I live organized crime have their girlfriends go work for insurance and other corporations where they can edit the database at will. (Maybe MIT's CryptDB can prevent this). Another problem is the database itself being stolen giving somebody unlimited access to it. -3 for database ID.

Seems some sort of crypto implementation like the GPG web of trust is the only thing guaranteed to work. This will only get worse, as hackers will soon be able to fake DNA and any other biometric authentication

Several years ago a company in New Hampshire tried to do something like that. They wanted to sell an ID scanner/mini LCD screen to grocery stores for I believe the verification of ID cards when paying with check. Scan the card, the photograph from the database appears on the screen momentarily.

The state of New Hampshire thought it was a reasonable idea, and either sold the photograph database to the company, or gave them a live connection to it.

At which point the people of New Hampshire promptly pissed their pants. The resulting brouhaha resulted in states and Congress passing laws restricting access to DMV photograph archives (and in a couple of states, like New Hampshire, a citizen may remove their photograph from the database (a law which I fully support)).

The company might have been more successful trying such a project after 9/11 and definitely starting in a state that isn't as libertarian leaning as New Hampshire.

For what it's worth, and no one's brought this up, but I think there's a good chance that identification of the future may happen via facebook. It offers quite a lot of features--citizens can choose how much information they put up and the circumstances under which it is revealed. Facebook can determine the validity of information using algorithms which assess behavior. (An individual claims to be 22, but 90% of the friends they interact with are between 13 and 15, so the computer would say that the age claim isn't reasonably reliable.)

Truthfully though, I can't figure out if this is a positive step forward for society.

If the article is anything to go by, these fake licenses are of absolutely no consequence. Let's look at the use cases, as presented by some guy who wants G&D, de la Rue, or whomever to make more dough:

Underage drinking — if an adult wants to drink, big bleeping deal. Make the drinking age 18.

Building entrance — if they're letting anyone in who has an ID, they're letting anyone in. It makes no difference whether it's real or fake. Everyone's got one, and unless yours claims to be for somebody on the most-wanted list nobody cares what the name is.

Aviation security— ID checks for passengers are intended to protect airline revenue and make DHS appear to be doing something useful. The second is unaffected, and failure of the first is not a problem government should address.

Employment verification — how exactly will harder-to-counterfeit ID prevent employers from looking the other way? And if it does, surely the cost of bribing a government employee to issue you an authentic ID is worth the benefit of a salary.

In conclusion, additional document security in this application is attempting to solve a problem that does not, in fact, exist. We don't even need to address whether the cost exceeds the benefits.

>As online databases age, they pick up more and more bad information. Since there is no incentive (legal nor economic) to keep them clean, online ID checking will have more and more false positives as time progresses.

No, they have incentive to get IDs correct. Indeed, DMVs currently use facial recognition to identify licenses using too similar of faces and will ask both parties to bring in additional identification paperwork to verify it's two unique persons and not one person with two licenses.

>Couple of years back the NCIC had obviously bad info which kept a citizen in jail for a couple of days.
>
>(Herring v. United States, Johnson v. Scotts Bluff County Sheriff's Dept.)

Might want to READ the citations you make.

In neither instance was it an NCIC problem.

In both cases NCIC flagged the individual, and the arresting department followed proper procedure and verified the warrant with the issuing agency.

In the first case the issuing agency confirmed the warrant initially, then called back 15 minutes later to correct it and say the warrant had been withdrawn. (a search of the person's vehicle had already been conducted however, raising a question if the search was unlawful).

In the second case, the warrant itself was wrong because sloppy work of the issuing agency misidentified the person who was subject to it (using her birthday and other correlating information with a shared name for another person).